Page MenuHomePhabricator
Create Task
Maniphest T201779

Have a check to prevent non-existent accounts from being added to LDAP groups
Open, MediumPublic
Actions

Description

To prevent T199557#4490609 from ever happening again, there should be a check that ensures the account exists, before actually adding them to the LDAP group.

Setting priority to high since this has a security impact.

Related Objects

Event Timeline

Legoktm triaged this task as High priority.Aug 12 2018, 8:03 AM
Legoktm created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 12 2018, 8:03 AM
Aklapper added a project: LDAP.Aug 12 2018, 12:44 PM
MoritzMuehlenhoff claimed this task.Aug 13 2018, 3:06 PM

I'll add this to the existing account consistency check.

Legoktm added a subscriber: Dzahn.Sep 8 2018, 1:07 AM

@MoritzMuehlenhoff I think this needs to be something integrated into whatever tool is being used to add people to LDAP rather than something after the fact. It happened again today: https://tools.wmflabs.org/sal/log/AWW1Q3TLwY2u4JUTIzpe

Dzahn added a comment.Sep 8 2018, 2:13 AM

This lasted mere seconds. Shouldn't have logged it before confirming.

Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 10:15 PM
Legoktm added a comment.Jul 9 2019, 10:54 PM

Bump, this happened again: T224110: Non-existent users in the archiva-deployers LDAP group.

If someone could document what script is being used to do this, I can look into writing a patch.

Dzahn added a comment.Jul 9 2019, 11:57 PM
In T201779#5319806, @Legoktm wrote:

Bump, this happened again: T224110: Non-existent users in the archiva-deployers LDAP group.

If someone could document what script is being used to do this, I can look into writing a patch.

I use " modify-ldap-group" to make changes to LDAP groups. But then there is also "ldapvi" which others might be using. It's possible that modify-ldap-group does more checks than ldapvi which is more "raw" editing.

chasemp added a project: Security.Feb 10 2020, 10:54 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:05 PM
RobH unsubscribed.Mar 3 2020, 6:00 PM
Legoktm merged a task: T256692: modify-ldap-group should make it impossible to add users who don't exist to a group.Jun 29 2020, 10:33 PM
Legoktm added a subscriber: ssingh.
MoritzMuehlenhoff removed MoritzMuehlenhoff as the assignee of this task.Oct 29 2020, 10:30 AM
MoritzMuehlenhoff lowered the priority of this task from High to Medium.
MoritzMuehlenhoff added a project: User-MoritzMuehlenhoff.
LSobanski added a project: Infrastructure-Foundations.Jan 5 2023, 11:56 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL